<!-- Converted by db4-upgrade version 1.0 -->
<article xmlns="http://docbook.org/ns/docbook" version="5.0" class="faq">
-
+
<info>
<copyright>
<year>2004</year>
</copyright>
</info>
<qandaset defaultlabel="qanda">
-
- <qandadiv><title>Compilation and Installation Questions</title>
-
+
+ <qandadiv><title>Compilation and Installation Questions</title>
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</question>
<answer>
<para>
- Short Answer: No.
+ Short Answer: No.
</para>
<para>
Long Answer: There really isn't a default configuration which fits
</para>
</answer>
</qandaentry>
-
+
</qandadiv> <!-- Compilation and Installation Questions -->
-
+
<qandadiv><title>Configuration and Setup Questions</title>
<qandaentry>
</informalexample>
</answer>
</qandaentry>
-
+
<qandaentry>
<!-- configuration -->
<question>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</informalexample>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</informalexample>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</programlisting>
</answer>
</qandaentry>
-
+
</qandadiv> <!-- Configuration and Setup Questions -->
-
+
<qandadiv><title>Operations Questions</title>
<qandaentry>
</qandadiv> <!-- Operations Questions -->
<qandadiv><title>General Questions</title>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</answer>
</qandaentry>
- <qandaentry>
+ <qandaentry>
<question>
<para>
I don't get RRSIG's returned when I use "dig +dnssec".
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</qandaentry>
</qandadiv> <!-- General Questions -->
-
+
<qandadiv><title>Operating-System Specific Questions</title>
<qandadiv><title>HPUX</title>
</qandadiv> <!-- HPUX -->
<qandadiv><title>Linux</title>
-
+
<qandaentry>
- <question>
+ <question>
<para>
Why do I get the following errors:
<programlisting>general: errno2result.c:109: unexpected error:
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
able to write or create files except in the directories
above, with SELinux in Enforcing mode.
</para>
-
+
<para>
So, to allow named to update slave or DDNS zone files,
it is best to locate them in $ROOTDIR/var/named/slaves,
type slave;
file "slaves/slave.zone.db";
...
-};
+};
zone "ddns.zone." IN {
type master;
allow-updates {...};
system-config-securitylevel GUI, using the 'setsebool'
command, or in /etc/selinux/targeted/booleans.
</para>
-
+
<para>
You can disable SELinux protection for named entirely by
setting the 'named_disable_trans=1' SELinux tunable boolean
parameter.
</para>
-
+
<para>
The SELinux named policy defines these SELinux contexts for named:
<informalexample>
</programlisting>
</informalexample>
</para>
-
+
<para>
If you want to retain use of the SELinux policy for named,
and put named files in different locations, you can do
</programlisting>
</informalexample>
</para>
-
+
<para>
To create a custom modifiable named data location, e.g.
'/var/log/named' for a log file, do:
</programlisting>
</informalexample>
</para>
-
+
<para>
To create a custom zone file location, e.g. /root/zones/, do:
<informalexample>
</programlisting>
</informalexample>
</para>
-
+
<para>
See these man-pages for more information : selinux(8),
named_selinux(8), chcon(1), setsebool(8)
</para>
</answer>
</qandaentry>
-
+
</qandadiv> <!-- Linux -->
-
+
<qandadiv><title>Windows</title>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
<qandaentry>
<question>
<para>
</informalexample>
</answer>
</qandaentry>
-
+
</qandadiv> <!-- Windows -->
-
+
<qandadiv><title>FreeBSD</title>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
</qandadiv> <!-- FreeBSD -->
-
+
<qandadiv><title>Solaris</title>
-
+
<qandaentry>
<question>
<para>
</para>
</answer>
</qandaentry>
-
+
</qandadiv> <!-- Solaris -->
<qandadiv><title>Apple Mac OS X</title>
</qandaentry>
</qandadiv> <!-- Apple Mac OS X -->
-
+
</qandadiv> <!-- Operating-System Specific Questions -->
</qandaset>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>named-checkconf</command>
checks the syntax, but not the semantics, of a
<command>named</command> configuration file. The file is parsed
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><command>named-checkconf</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>named-checkzone</command>
checks the syntax and integrity of a zone file. It performs the
same checks as <command>named</command> does when loading a
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
<listitem>
<para>
Check for records that are treated as different by DNSSEC but
- are semantically equal in plain DNS.
+ are semantically equal in plain DNS.
Possible modes are <command>"fail"</command>,
<command>"warn"</command> (default) and
<command>"ignore"</command>.
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><command>named-checkzone</command>
returns an exit status of 1 if
errors were detected and 0 otherwise.
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citerefentry>
- <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
+ <refentrytitle>named-checkconf</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
<citetitle>RFC 1035</citetitle>,
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>tsig-keygen</command> and <command>ddns-confgen</command>
are invocation methods for a utility that generates keys for use
local DDNS key for use with <command>nsupdate -l</command>:
it does this when a zone is configured with
<command>update-policy local;</command>.
- <command>ddns-confgen</command> is only needed when a
+ <command>ddns-confgen</command> is only needed when a
more elaborate configuration is required: for instance,
if <command>nsupdate</command> is to be used from a remote
system.
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>nsupdate</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>rndc-confgen</command>
generates configuration files
for <command>rndc</command>. It can be used as a
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
-
+
<para>
To allow <command>rndc</command> to be used with
no manual configuration, run
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>delv</command>
(Domain Entity Lookup & Validation) is a tool for sending
DNS queries and validating the results, using the same internal
</refsection>
<refsection><info><title>SIMPLE USAGE</title></info>
-
+
<para>
A typical invocation of <command>delv</command> looks like:
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>QUERY OPTIONS</title></info>
-
+
<para><command>delv</command>
provides a number of query options which affect the way results are
<listitem>
<para>
Set or clear the display options
- <option>+[no]comments</option>,
+ <option>+[no]comments</option>,
<option>+[no]rrcomments</option>, and
<option>+[no]trust</option> as a group.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<para><filename>/etc/bind.keys</filename></para>
<para><filename>/etc/resolv.conf</filename></para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dig</command>
(domain information groper) is a flexible tool
for interrogating DNS name servers. It performs DNS lookups and
<para>
The IN and CH class names overlap with the IN and CH top level
domain names. Either use the <option>-t</option> and
- <option>-c</option> options to specify the type and class,
+ <option>-c</option> options to specify the type and class,
use the <option>-q</option> the specify the domain name, or
use "IN." and "CH." when looking up these top level domains.
</para>
</refsection>
<refsection><info><title>SIMPLE USAGE</title></info>
-
+
<para>
A typical invocation of <command>dig</command> looks like:
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>QUERY OPTIONS</title></info>
-
+
<para><command>dig</command>
provides a number of query options which affect
</refsection>
<refsection><info><title>MULTIPLE QUERIES</title></info>
-
+
<para>
The BIND 9 implementation of <command>dig </command>
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
-
+
<para>
If <command>dig</command> has been built with IDN (internationalized
domain name) support, it can accept and display non-ASCII domain names.
reply from the server.
If you'd like to turn off the IDN support for some reason, defines
the <envar>IDN_DISABLE</envar> environment variable.
- The IDN support is disabled if the variable is set when
+ The IDN support is disabled if the variable is set when
<command>dig</command> runs.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<para><filename>/etc/resolv.conf</filename>
</para>
<para><filename>${HOME}/.digrc</filename>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>host</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
</refsection>
<refsection><info><title>BUGS</title></info>
-
+
<para>
There are probably too many query options.
</para>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>host</command>
is a simple utility for performing DNS lookups.
</para>
<para>
- The <option>-s</option> option tells <command>host</command>
+ The <option>-s</option> option tells <command>host</command>
<emphasis>not</emphasis> to send the query to the next nameserver
if any server responds with a SERVFAIL response, which is the
reverse of normal stub resolver behavior.
</refsection>
<refsection><info><title>IDN SUPPORT</title></info>
-
+
<para>
If <command>host</command> has been built with IDN (internationalized
- domain name) support, it can accept and display non-ASCII domain names.
+ domain name) support, it can accept and display non-ASCII domain names.
<command>host</command> appropriately converts character encoding of
domain name before sending a request to DNS server or displaying a
reply from the server.
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>Nslookup</command>
is a program to query Internet domain name servers. <command>Nslookup</command>
has two modes: interactive and non-interactive. Interactive mode allows
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
-
+
<para>
Interactive mode is entered in the following cases:
<orderedlist numeration="loweralpha" inheritnum="ignore" continuation="restarts">
</refsection>
<refsection><info><title>INTERACTIVE COMMANDS</title></info>
-
+
<variablelist>
<varlistentry>
<term><constant>host</constant> <optional>server</optional></term>
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-dsfromkey</command>
outputs the Delegation Signer (DS) resource record (RR), as defined in
RFC 3658 and RFC 4509, for the given key(s).
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
<para>
Include ZSKs when generating DS records. Without this option,
only keys which have the KSK flag set will be converted to DS
- records and printed. Useful only in zone file mode.
+ records and printed. Useful only in zone file mode.
</para>
</listitem>
</varlistentry>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
-
+
<para>
To build the SHA-256 DS RR from the
<userinput>Kexample.com.+003+26160</userinput>
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<para>
The keyfile can be designed by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
</refsection>
<refsection><info><title>CAVEAT</title></info>
-
+
<para>
A keyfile error can give a "file not found" even if the file exists.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-importkey</command>
reads a public DNSKEY record and generates a pair of
.key/.private files. The DNSKEY record may be read from an
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term>-v <replaceable class="parameter">level</replaceable></term>
<listitem>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
-
+
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<para>
A keyfile can be designed by the key identification
<filename>Knnnn.+aaa+iiiii</filename> or the full file name
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-keyfromlabel</command>
generates a key pair of files that referencing a key object stored
in a cryptographic hardware service module (HSM). The private key
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
-
+
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
</para>
<para>
If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
+ key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
</refsection>
<refsection><info><title>GENERATED KEY FILES</title></info>
-
+
<para>
When <command>dnssec-keyfromlabel</command> completes
successfully,
</para>
</listitem>
</itemizedlist>
- <para><command>dnssec-keyfromlabel</command>
+ <para><command>dnssec-keyfromlabel</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-keygen</command>
generates keys for DNSSEC (Secure DNS), as defined in RFC 2535
and RFC 4034. It can also generate keys for use with
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
-
+
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
</para>
<para>
If the key is being created as an explicit successor to another
- key, then the default prepublication interval is 30 days;
+ key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
<refsection><info><title>GENERATED KEYS</title></info>
-
+
<para>
When <command>dnssec-keygen</command> completes
successfully,
</para>
</listitem>
</itemizedlist>
- <para><command>dnssec-keygen</command>
+ <para><command>dnssec-keygen</command>
creates two files, with names based
on the printed string. <filename>Knnnn.+aaa+iiiii.key</filename>
contains the public key, and
</refsection>
<refsection><info><title>EXAMPLE</title></info>
-
+
<para>
To generate a 768-bit DSA key for the domain
<userinput>example.com</userinput>, the following command would be
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-revoke</command>
reads a DNSSEC key file, sets the REVOKED bit on the key as defined
in RFC 5011, and creates a new pair of key files containing the
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-settime</command>
reads a DNSSEC private key file and sets the key timing metadata
as specified by the <option>-P</option>, <option>-A</option>,
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
fail when attempting to update a legacy key. With this option,
the key will be recreated in the new format, but with the
original key data retained. The key's creation date will be
- set to the present time. If no other values are specified,
- then the key's publication and activation dates will also
+ set to the present time. If no other values are specified,
+ then the key's publication and activation dates will also
be set to the present time.
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term>-K <replaceable class="parameter">directory</replaceable></term>
<listitem>
</para>
</listitem>
</varlistentry>
-
+
<varlistentry>
<term>-V</term>
<listitem>
</refsection>
<refsection><info><title>TIMING OPTIONS</title></info>
-
+
<para>
Dates can be expressed in the format YYYYMMDD or YYYYMMDDHHMMSS.
If the argument begins with a '+' or '-', it is interpreted as
</para>
<para>
If the key is being set to be an explicit successor to another
- key, then the default prepublication interval is 30 days;
+ key, then the default prepublication interval is 30 days;
otherwise it is zero.
</para>
<para>
</refsection>
<refsection><info><title>PRINTING OPTIONS</title></info>
-
+
<para>
<command>dnssec-settime</command> can also be used to print the
timing metadata associated with a key.
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-signzone</command>
signs a zone. It generates
NSEC and RRSIG records and produces a signed version of the
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
(<option>-S</option>) is used, DNSKEY records are also
included. The resulting file can be included in the original
zone file with <command>$INCLUDE</command>. This option
- cannot be combined with <option>-O raw</option>,
+ cannot be combined with <option>-O raw</option>,
<option>-O map</option>, or serial number updating.
</para>
</listitem>
<para>
Normally, when a previously-signed zone is passed as input
to the signer, and a DNSKEY record has been removed and
- replaced with a new one, signatures from the old key
+ replaced with a new one, signatures from the old key
that are still within their validity period are retained.
This allows the zone to continue to validate with cached
copies of the old DNSKEY RRset. The <option>-Q</option>
<para>
If the key's activation date is set and in the past, the
key is published (regardless of publication date) and
- used to sign the zone.
+ used to sign the zone.
</para>
</listitem>
</varlistentry>
</refsection>
<refsection><info><title>EXAMPLE</title></info>
-
+
<para>
The following command signs the <userinput>example.com</userinput>
zone with the DSA key generated by <command>dnssec-keygen</command>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-keygen</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-verify</command>
verifies that a zone is fully signed for each algorithm found
in the DNSKEY RRset for the zone, and that the NSEC / NSEC3
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>dnssec-signzone</refentrytitle><manvolnum>8</manvolnum>
function loadGraphs(){
var g;
-
+
while(g = graphs.shift()){
// alert("going for: " + g.target);
if(g.data.length > 1){
}
<xsl:if test="server/counters[@type="qtype"]/counter">
- // Server Incoming Query Types
+ // Server Incoming Query Types
graphs.push({
'title' : "Server Incoming Query Types",
'target': 'chart_incoming_qtypes',
'data': [['Type','Counter'],<xsl:for-each select="server/counters[@type="qtype"]/counter">['<xsl:value-of select="@name"/>',<xsl:value-of select="."/>],</xsl:for-each>]
});
</xsl:if>
-
+
<xsl:if test="server/counters[@type="opcode"]/counter">
// Server Incoming Requests by opcode
graphs.push({
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>lwresd</command>
is the daemon providing name lookup
resolver protocol rather than the DNS protocol.
</para>
- <para><command>lwresd</command>
+ <para><command>lwresd</command>
listens for resolver queries on a
UDP port on the IPv4 loopback interface, 127.0.0.1. This
means that <command>lwresd</command> can only be used by
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<replaceable class="parameter">trace</replaceable>,
<replaceable class="parameter">record</replaceable>,
<replaceable class="parameter">size</replaceable>, and
- <replaceable class="parameter">mctx</replaceable>.
+ <replaceable class="parameter">mctx</replaceable>.
These correspond to the ISC_MEM_DEBUGXXXX flags described in
<filename><isc/mem.h></filename>.
</para>
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><filename>named.conf</filename> is the configuration file
for
<command>named</command>. Statements are enclosed
</refsection>
<refsection><info><title>ACL</title></info>
-
+
<literallayout class="normal">
acl <replaceable>string</replaceable> { <replaceable>address_match_element</replaceable>; ... };
</refsection>
<refsection><info><title>KEY</title></info>
-
+
<literallayout class="normal">
key <replaceable>domain_name</replaceable> {
algorithm <replaceable>string</replaceable>;
</refsection>
<refsection><info><title>MASTERS</title></info>
-
+
<literallayout class="normal">
masters <replaceable>string</replaceable> <optional> port <replaceable>integer</replaceable> </optional> {
( <replaceable>masters</replaceable> | <replaceable>ipv4_address</replaceable> <optional>port <replaceable>integer</replaceable></optional> |
</refsection>
<refsection><info><title>SERVER</title></info>
-
+
<literallayout class="normal">
server ( <replaceable>ipv4_address<optional>/prefixlen</optional></replaceable> | <replaceable>ipv6_address<optional>/prefixlen</optional></replaceable> ) {
bogus <replaceable>boolean</replaceable>;
</refsection>
<refsection><info><title>TRUSTED-KEYS</title></info>
-
+
<literallayout class="normal">
trusted-keys {
<replaceable>domain_name</replaceable> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
</refsection>
<refsection><info><title>MANAGED-KEYS</title></info>
-
+
<literallayout class="normal">
managed-keys {
<replaceable>domain_name</replaceable> <constant>initial-key</constant> <replaceable>flags</replaceable> <replaceable>protocol</replaceable> <replaceable>algorithm</replaceable> <replaceable>key</replaceable>; ...
</refsection>
<refsection><info><title>CONTROLS</title></info>
-
+
<literallayout class="normal">
controls {
inet ( <replaceable>ipv4_address</replaceable> | <replaceable>ipv6_address</replaceable> | * )
</refsection>
<refsection><info><title>LOGGING</title></info>
-
+
<literallayout class="normal">
logging {
channel <replaceable>string</replaceable> {
</refsection>
<refsection><info><title>LWRES</title></info>
-
+
<literallayout class="normal">
lwres {
listen-on <optional> port <replaceable>integer</replaceable> </optional> {
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<literallayout class="normal">
options {
avoid-v4-udp-ports { <replaceable>port</replaceable>; ... };
</refsection>
<refsection><info><title>VIEW</title></info>
-
+
<literallayout class="normal">
view <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
match-clients { <replaceable>address_match_element</replaceable>; ... };
</refsection>
<refsection><info><title>ZONE</title></info>
-
+
<literallayout class="normal">
zone <replaceable>string</replaceable> <replaceable>optional_class</replaceable> {
type ( master | slave | stub | hint | redirect |
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<para><filename>/etc/named.conf</filename>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>named</command>
is a Domain Name System (DNS) server,
part of the BIND 9 distribution from ISC. For more
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>SIGNALS</title></info>
-
+
<para>
In routine operation, signals should not be used to control
the nameserver; <command>rndc</command> should be used
</refsection>
<refsection><info><title>CONFIGURATION</title></info>
-
+
<para>
The <command>named</command> configuration file is too complex
to describe in detail here. A complete description is provided
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<variablelist>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citetitle>RFC 1033</citetitle>,
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 1035</citetitle>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>nsupdate</command>
is used to submit Dynamic DNS Update requests as defined in RFC 2136
to a name server.
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>INPUT FORMAT</title></info>
-
+
<para><command>nsupdate</command>
reads input from
<parameter>filename</parameter>
</refsection>
<refsection><info><title>EXAMPLES</title></info>
-
+
<para>
The examples below show how
<command>nsupdate</command>
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citetitle>RFC 2136</citetitle>,
<citetitle>RFC 3007</citetitle>,
</refsection>
<refsection><info><title>BUGS</title></info>
-
+
<para>
The TSIG key is redundantly stored in two separate files.
This is a consequence of nsupdate using the DST library
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>pkcs11-destroy</command> destroys keys stored in a
PKCS#11 device, identified by their <option>ID</option> or
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
-
+
<variablelist>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>pkcs11-keygen</refentrytitle><manvolnum>8</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>pkcs11-keygen</command> causes a PKCS#11 device to generate
a new key pair with the given <option>label</option> (which must be
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
-
+
<variablelist>
<varlistentry>
<term>-a <replaceable class="parameter">algorithm</replaceable></term>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>pkcs11-list</command>
lists the PKCS#11 objects with <option>ID</option> or
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
-
+
<variablelist>
<varlistentry>
<term>-P</term>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>pkcs11-tokens</command>
lists the PKCS#11 available tokens with defaults from the slot/token
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
-
+
<variablelist>
<varlistentry>
<term>-m <replaceable class="parameter">module</replaceable></term>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>pkcs11-destroy</refentrytitle><manvolnum>8</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-checkds</command>
verifies the correctness of Delegation Signer (DS) or DNSSEC
Lookaside Validation (DLV) resource records for keys in a specified
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
<term>-l <replaceable class="parameter">domain</replaceable></term>
<listitem>
<para>
- Check for a DLV record in the specified lookaside domain,
+ Check for a DLV record in the specified lookaside domain,
instead of checking for a DS record in the zone's parent.
For example, to check for DLV records for "example.com"
in ISC's DLV zone, use:
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dnssec-dsfromkey</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>dnssec-coverage</command>
verifies that the DNSSEC keys for a given zone or a set of zones
have timing metadata set properly to ensure no future lapses in DNSSEC
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
<para>
The length of time to check for DNSSEC coverage. Key events
scheduled further into the future than <option>duration</option>
- will be ignored, and assumed to be correct.
+ will be ignored, and assumed to be correct.
</para>
<para>
The value of <option>duration</option> can be set in seconds,
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>dnssec-checkds</refentrytitle><manvolnum>8</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><filename>rndc.conf</filename> is the configuration file
for <command>rndc</command>, the BIND 9 name server control
utility. This file has a similar structure and syntax to
</refsection>
<refsection><info><title>EXAMPLE</title></info>
-
+
<para><programlisting>
options {
</refsection>
<refsection><info><title>NAME SERVER CONFIGURATION</title></info>
-
+
<para>
The name server must be configured to accept rndc connections and
to recognize the key specified in the <filename>rndc.conf</filename>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>rndc</refentrytitle><manvolnum>8</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>rndc</command>
controls the operation of a name
server. It supersedes the <command>ndc</command> utility
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>COMMANDS</title></info>
-
+
<para>
A list of commands supported by <command>rndc</command> can
be seen by running <command>rndc</command> without arguments.
operations (such as signing or generating
NSEC3 chains) is stored in the zone in the form
of DNS resource records of type
- <command>sig-signing-type</command>.
+ <command>sig-signing-type</command>.
<command>rndc signing -list</command> converts
these records into a human-readable form,
indicating which keys are currently signing
flags, iterations, and salt, in that order.
</para>
<para>
- Currently, the only defined value for hash algorithm
+ Currently, the only defined value for hash algorithm
is <literal>1</literal>, representing SHA-1.
The <option>flags</option> may be set to
<literal>0</literal> or <literal>1</literal>,
</refsection>
<refsection><info><title>LIMITATIONS</title></info>
-
+
<para>
There is currently no way to provide the shared secret for a
<option>key_id</option> without using the configuration file.
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>rndc.conf</refentrytitle><manvolnum>5</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>arpaname</command> translates IP addresses (IPv4 and
IPv6) to the corresponding IN-ADDR.ARPA or IP6.ARPA names.
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>.
</para>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>dnstap-read</command>
reads <command>dnstap</command> data from a specified file
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
<varlistentry>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>genrandom</command>
generates a file or a set of files containing a specified quantity
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
-
+
<variablelist>
<varlistentry>
<term>-n <replaceable class="parameter">number</replaceable></term>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>rand</refentrytitle><manvolnum>3</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
Versions of BIND 9 up to and including BIND 9.6 had a bug causing
HMAC-SHA* TSIG keys which were longer than the digest length of the
</refsection>
<refsection><info><title>SECURITY CONSIDERATIONS</title></info>
-
+
<para>
Secrets that have been converted by <command>isc-hmac-fixup</command>
are shortened, but as this is how the HMAC protocol works in
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 2104</citetitle>.
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>mdig</command>
is a multiple/pipelined query version of <command>dig</command>:
instead of waiting for a response after sending each query,
</refsection>
<refsection><info><title>ANYWHERE OPTIONS</title></info>
-
+
<para>
The <option>-f</option> option makes <command>mdig</command>
</refsection>
<refsection><info><title>GLOBAL OPTIONS</title></info>
-
+
<para>
The <option>-4</option> option forces <command>mdig</command> to
</refsection>
<refsection><info><title>LOCAL OPTIONS</title></info>
-
+
<para>
The <option>-c</option> option sets the query class to
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>dig</refentrytitle><manvolnum>1</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>named-journalprint</command>
prints the contents of a zone journal file in a human-readable
- form.
+ form.
</para>
<para>
- Journal files are automatically created by <command>named</command>
+ Journal files are automatically created by <command>named</command>
when changes are made to dynamic zones (e.g., by
<command>nsupdate</command>). They record each addition
or deletion of a resource record, in binary format, allowing the
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citerefentry>
<refentrytitle>named</refentrytitle><manvolnum>8</manvolnum>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>named-rrchecker</command>
read a individual DNS resource record from standard input and checks if it
is syntactically correct.
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citetitle>RFC 1034</citetitle>,
<citetitle>RFC 1035</citetitle>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
<command>nsec3hash</command> generates an NSEC3 hash based on
a set of NSEC3 parameters. This can be used to check the validity
</refsection>
<refsection><info><title>ARGUMENTS</title></info>
-
+
<variablelist>
<varlistentry>
<term>salt</term>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para>
<citetitle>BIND 9 Administrator Reference Manual</citetitle>,
<citetitle>RFC 5155</citetitle>.
<para>
TSIG keys can be generated using the <command>tsig-keygen</command>
command; the output of the command is a <command>key</command> directive
- suitable for inclusion in <filename>named.conf</filename>. The
+ suitable for inclusion in <filename>named.conf</filename>. The
key name, algorithm and size can be specified by command line parameters;
the defaults are "tsig-key", HMAC-SHA256, and 256 bits, respectively.
</para>
signed using the specified key. Keys may also be specified
in the <command>also-notify</command> statement of a master
or slave zone, causing NOTIFY messages to be signed using
- the specified key.
+ the specified key.
</para>
<para>
Keys can also be specified in a <command>server</command>
<para>
The TKEY process is initiated by a client or server by sending
a query of type TKEY to a TKEY-aware server. The query must include
- an appropriate KEY record in the additional section, and
+ an appropriate KEY record in the additional section, and
must be signed using either TSIG or SIG(0) with a previously
established key. The server's response, if successful, will
contain a TKEY record in its answer section. After this transaction,
event payloads which are encoded using Protocol Buffers
(<command>libprotobuf-c</command>, a mechanism for
serializing structured data developed
- by Google, Inc.; see
+ by Google, Inc.; see
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="https://developers.google.com/protocol-buffers/">https://developers.google.com/protocol-buffers</link>).
</para>
<para>
- To enable <command>dnstap</command> at compile time,
+ To enable <command>dnstap</command> at compile time,
the <command>fstrm</command> and <command>protobuf-c</command>
libraries must be available, and BIND must be configured with
<option>--enable-dnstap</option>.
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dlz-info"><info><title>DLZ (Dynamically Loadable Zones)</title></info>
-
+
<para>
DLZ (Dynamically Loadable Zones) is an extension to BIND 9 that allows
zone data to be retrieved directly from an external database. There is
</para>
<section><info><title>Configuring DLZ</title></info>
-
+
<para>
A DLZ database is configured with a <command>dlz</command>
statement in <filename>named.conf</filename>:
</screen>
</section>
<section><info><title>Sample DLZ Driver</title></info>
-
+
<para>
For guidance in implementation of DLZ modules, the directory
<filename>contrib/dlz/example</filename> contains a basic
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dnssec.dynamic.zones"><info><title>DNSSEC, Dynamic Zones, and Automatic Signing</title></info>
-
+
<para>As of BIND 9.7.0 it is possible to change a dynamic zone
from insecure to signed and back again. A secure zone can use
either NSEC or NSEC3 chains.</para>
<section><info><title>Converting from insecure to secure</title></info>
-
+
</section>
<para>Changing a zone from insecure to secure can be done in two
- ways: using a dynamic DNS update, or the
+ ways: using a dynamic DNS update, or the
<command>auto-dnssec</command> zone option.</para>
- <para>For either method, you need to configure
- <command>named</command> so that it can see the
+ <para>For either method, you need to configure
+ <command>named</command> so that it can see the
<filename>K*</filename> files which contain the public and private
parts of the keys that will be used to sign the zone. These files
- will have been generated by
+ will have been generated by
<command>dnssec-keygen</command>. You can do this by placing them
- in the key-directory, as specified in
+ in the key-directory, as specified in
<filename>named.conf</filename>:</para>
<programlisting>
zone example.net {
well. An NSEC chain will be generated as part of the initial
signing process.</para>
<section><info><title>Dynamic DNS update method</title></info>
-
+
</section>
<para>To insert the keys via dynamic update:</para>
<screen>
> send
</screen>
<para>While the update request will complete almost immediately,
- the zone will not be completely signed until
+ the zone will not be completely signed until
<command>named</command> has had time to walk the zone and
generate the NSEC and RRSIG records. The NSEC record at the apex
will be added last, to signal that there is a complete NSEC
> send
</screen>
<para>Again, this update request will complete almost
- immediately; however, the record won't show up until
+ immediately; however, the record won't show up until
<command>named</command> has had a chance to build/remove the
relevant chain. A private type record will be created to record
the state of the operation (see below for more details), and will
<para>While the initial signing and NSEC/NSEC3 chain generation
is happening, other updates are possible as well.</para>
<section><info><title>Fully automatic zone signing</title></info>
-
+
</section>
- <para>To enable automatic signing, add the
- <command>auto-dnssec</command> option to the zone statement in
- <filename>named.conf</filename>.
- <command>auto-dnssec</command> has two possible arguments:
- <constant>allow</constant> or
+ <para>To enable automatic signing, add the
+ <command>auto-dnssec</command> option to the zone statement in
+ <filename>named.conf</filename>.
+ <command>auto-dnssec</command> has two possible arguments:
+ <constant>allow</constant> or
<constant>maintain</constant>.</para>
- <para>With
- <command>auto-dnssec allow</command>,
+ <para>With
+ <command>auto-dnssec allow</command>,
<command>named</command> can search the key directory for keys
matching the zone, insert them into the zone, and use them to
- sign the zone. It will do so only when it receives an
+ sign the zone. It will do so only when it receives an
<command>rndc sign <zonename></command>.</para>
<para>
<!-- TODO: this is repeated in the ARM -->
functionality, but will also automatically adjust the zone's
DNSKEY records on schedule according to the keys' timing metadata.
(See <xref linkend="man.dnssec-keygen"/> and
- <xref linkend="man.dnssec-settime"/> for more information.)
+ <xref linkend="man.dnssec-settime"/> for more information.)
</para>
<para>
<command>named</command> will periodically search the key directory
</para>
<para>
If keys are present in the key directory the first time the zone
- is loaded, the zone will be signed immediately, without waiting for an
+ is loaded, the zone will be signed immediately, without waiting for an
<command>rndc sign</command> or <command>rndc loadkeys</command>
command. (Those commands can still be used when there are unscheduled
key changes, however.)
the zone is signed and the NSEC3 chain is completed, the NSEC3PARAM
record will appear in the zone.
</para>
- <para>Using the
+ <para>Using the
<command>auto-dnssec</command> option requires the zone to be
- configured to allow dynamic updates, by adding an
- <command>allow-update</command> or
+ configured to allow dynamic updates, by adding an
+ <command>allow-update</command> or
<command>update-policy</command> statement to the zone
configuration. If this has not been done, the configuration will
fail.</para>
<section><info><title>Private-type records</title></info>
-
+
</section>
<para>The state of the signing process is signaled by
private-type records (with a default type value of 65534). When
</literallayout>
</para>
<section><info><title>DNSKEY rollovers</title></info>
-
+
</section>
<para>As with insecure-to-secure conversions, rolling DNSSEC
- keys can be done in two ways: using a dynamic DNS update, or the
+ keys can be done in two ways: using a dynamic DNS update, or the
<command>auto-dnssec</command> zone option.</para>
<section><info><title>Dynamic DNS update method</title></info>
-
+
</section>
<para> To perform key rollovers via dynamic update, you need to add
- the <filename>K*</filename> files for the new keys so that
+ the <filename>K*</filename> files for the new keys so that
<command>named</command> can find them. You can then add the new
- DNSKEY RRs via dynamic update.
+ DNSKEY RRs via dynamic update.
<command>named</command> will then cause the zone to be signed
with the new keys. When the signing is complete the private type
records will be updated so that the last octet is non
be able to verify at least one signature when you remove the old
DNSKEY.</para>
<para>The old DNSKEY can be removed via UPDATE. Take care to
- specify the correct key.
+ specify the correct key.
<command>named</command> will clean out any signatures generated
by the old key after the update completes.</para>
<section><info><title>Automatic key rollovers</title></info>
-
+
</section>
<para>When a new key reaches its activation date (as set by
<command>dnssec-keygen</command> or <command>dnssec-settime</command>),
- if the <command>auto-dnssec</command> zone option is set to
+ if the <command>auto-dnssec</command> zone option is set to
<constant>maintain</constant>, <command>named</command> will
automatically carry out the key rollover. If the key's algorithm
has not previously been used to sign the zone, then the zone will
completes in 30 days, after which it will be safe to remove the
old key from the DNSKEY RRset.</para>
<section><info><title>NSEC3PARAM rollovers via UPDATE</title></info>
-
+
</section>
<para>Add the new NSEC3PARAM record via dynamic update. When the
new NSEC3 chain has been generated, the NSEC3PARAM flag field
record. The old chain will be removed after the update request
completes.</para>
<section><info><title>Converting from NSEC to NSEC3</title></info>
-
+
</section>
<para>To do this, you just need to add an NSEC3PARAM record. When
the conversion is complete, the NSEC chain will have been removed
chain will be generated before the NSEC chain is
destroyed.</para>
<section><info><title>Converting from NSEC3 to NSEC</title></info>
-
+
</section>
<para>To do this, use <command>nsupdate</command> to
remove all NSEC3PARAM records with a zero flag
field. The NSEC chain will be generated before the NSEC3 chain is
removed.</para>
<section><info><title>Converting from secure to insecure</title></info>
-
+
</section>
<para>To convert a signed zone to unsigned using dynamic DNS,
delete all the DNSKEY records from the zone apex using
<command>nsupdate</command>. All signatures, NSEC or NSEC3 chains,
and associated NSEC3PARAM records will be removed automatically.
This will take place after the update request completes.</para>
- <para> This requires the
- <command>dnssec-secure-to-insecure</command> option to be set to
- <userinput>yes</userinput> in
+ <para> This requires the
+ <command>dnssec-secure-to-insecure</command> option to be set to
+ <userinput>yes</userinput> in
<filename>named.conf</filename>.</para>
<para>In addition, if the <command>auto-dnssec maintain</command>
zone statement is used, it should be removed or changed to
<command>allow</command> instead (or it will re-sign).
</para>
<section><info><title>Periodic re-signing</title></info>
-
+
</section>
<para>In any secure zone which supports dynamic updates, <command>named</command>
will periodically re-sign RRsets which have not been re-signed as
adjusted so as to spread the re-sign load over time rather than
all at once.</para>
<section><info><title>NSEC3 and OPTOUT</title></info>
-
+
</section>
<para>
<command>named</command> only supports creating new NSEC3 chains
where all the NSEC3 records in the zone have the same OPTOUT
- state.
+ state.
<command>named</command> supports UPDATES to zones where the NSEC3
- records in the chain have mixed OPTOUT state.
+ records in the chain have mixed OPTOUT state.
<command>named</command> does not support changing the OPTOUT
state of an individual NSEC3 record, the entire chain needs to be
changed if the OPTOUT state of an individual NSEC3 needs to be
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="dyndb-info"><info><title>DynDB (Dynamic Database)</title></info>
-
+
<para>
DynDB is an extension to BIND 9 which, like DLZ
(see <xref linkend="dlz-info"/>), allows zone data to be
</para>
<section><info><title>Configuring DynDB</title></info>
-
+
<para>
A DynDB database is configured with a <command>dyndb</command>
statement in <filename>named.conf</filename>:
</para>
</section>
<section><info><title>Sample DynDB Module</title></info>
-
+
<para>
For guidance in implementation of DynDB modules, the directory
<filename>bin/tests/system/dyndb/driver</filename>.
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="bind9.library"><info><title>BIND 9 DNS Library Support</title></info>
-
+
<para>This version of BIND 9 "exports" its internal libraries so
that they can be used by third-party applications more easily (we
call them "export" libraries in this document). In addition to
</listitem>
</itemizedlist>
<section><info><title>Prerequisite</title></info>
-
+
<para>GNU make is required to build the export libraries (other
part of BIND 9 can still be built with other types of make). In
the reminder of this document, "make" means GNU make. Note that
than "make" (e.g. "gmake") to indicate it's GNU make.</para>
</section>
<section><info><title>Compilation</title></info>
-
+
<screen>
$ <userinput>./configure --enable-exportlib <replaceable>[other flags]</replaceable></userinput>
$ <userinput>make</userinput>
lib/export/samples directory (see below).</para>
</section>
<section><info><title>Installation</title></info>
-
+
<screen>
$ <userinput>cd lib/export</userinput>
$ <userinput>make install</userinput>
<filename>lib/export/samples/Makefile-postinstall.in</filename>.</para>
</section>
<section><info><title>Known Defects/Restrictions</title></info>
-
+
<itemizedlist>
<listitem>
<!-- TODO: what about AIX? -->
</itemizedlist>
</section>
<section><info><title>The dns.conf File</title></info>
-
+
<para>The IRS library supports an "advanced" configuration file
related to the DNS library for configuration parameters that
would be beyond the capability of the
<xref linkend="trusted-keys"/> for details.)</para>
</section>
<section><info><title>Sample Applications</title></info>
-
+
<para>Some sample application programs using this API are
provided for reference. The following is a brief description of
these applications.
</para>
<section><info><title>sample: a simple stub resolver utility</title></info>
-
+
<para>
It sends a query of a given name (of a given optional RR type) to a
specified recursive server, and prints the result as a list of
</variablelist>
</section>
<section><info><title>sample-async: a simple stub resolver, working asynchronously</title></info>
-
+
<para>
Similar to "sample", but accepts a list
of (query) domain names as a separate file and resolves the names
</variablelist>
</section>
<section><info><title>sample-request: a simple DNS transaction client</title></info>
-
+
<para>
It sends a query to a specified server, and
prints the response with minimal processing. It doesn't act as a
</variablelist>
</section>
<section><info><title>sample-gai: getaddrinfo() and getnameinfo() test code</title></info>
-
+
<para>
This is a test program
to check getaddrinfo() and getnameinfo() behavior. It takes a
</para>
</section>
<section><info><title>sample-update: a simple dynamic update client program</title></info>
-
+
<para>
It accepts a single update command as a
command-line argument, sends an update request message to the
<para>
removes all A RRs for foo.dynamic.example.com using the given key.
</para>
- <screen>
+ <screen>
$ <userinput>sample-update -a sample-update -k Kxxx.+nnn+mmmm.key delete "foo.dynamic.example.com"</userinput></screen>
<para>
removes all RRs for foo.dynamic.example.com using the given key.
</para>
</section>
<section><info><title>nsprobe: domain/name server checker in terms of RFC 4074</title></info>
-
+
<para>
It checks a set
of domains to see the name servers of the domains behave
</section>
</section>
<section><info><title>Library References</title></info>
-
+
<para>As of this writing, there is no formal "manual" of the
libraries, except this document, header files (some of them
provide pretty detailed explanations), and sample application
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="rfc5011.support"><info><title>Dynamic Trust Anchor Management</title></info>
-
+
<para>BIND 9.7.0 introduces support for RFC 5011, dynamic trust
- anchor management. Using this feature allows
+ anchor management. Using this feature allows
<command>named</command> to keep track of changes to critical
DNSSEC keys without any need for the operator to make changes to
configuration files.</para>
<section><info><title>Validating Resolver</title></info>
-
+
<!-- TODO: command tag is overloaded for configuration and executables -->
<para>To configure a validating resolver to use RFC 5011 to
- maintain a trust anchor, configure the trust anchor using a
+ maintain a trust anchor, configure the trust anchor using a
<command>managed-keys</command> statement. Information about
- this can be found in
+ this can be found in
<xref linkend="managed-keys"/>.</para>
<!-- TODO: managed-keys examples
also in DNSSEC section above here in ARM -->
</section>
<section><info><title>Authoritative Server</title></info>
-
+
<para>To set up an authoritative zone for RFC 5011 trust anchor
maintenance, generate two (or more) key signing keys (KSKs) for
the zone. Sign the zone with one of them; this is the "active"
timer has completed, the active KSK can be revoked, and the
zone can be "rolled over" to the newly accepted key.</para>
<para>The easiest way to place a stand-by key in a zone is to
- use the "smart signing" features of
- <command>dnssec-keygen</command> and
+ use the "smart signing" features of
+ <command>dnssec-keygen</command> and
<command>dnssec-signzone</command>. If a key with a publication
date in the past, but an activation date which is unset or in
- the future, "
+ the future, "
<command>dnssec-signzone -S</command>" will include the DNSKEY
record in the zone, but will not sign with it:</para>
<screen>
$ <userinput>dnssec-keygen -K keys -f KSK -P now -A now+2y example.net</userinput>
$ <userinput>dnssec-signzone -S -K keys example.net</userinput>
</screen>
- <para>To revoke a key, the new command
+ <para>To revoke a key, the new command
<command>dnssec-revoke</command> has been added. This adds the
- REVOKED bit to the key flags and re-generates the
- <filename>K*.key</filename> and
+ REVOKED bit to the key flags and re-generates the
+ <filename>K*.key</filename> and
<filename>K*.private</filename> files.</para>
<para>After revoking the active key, the zone must be signed
with both the revoked KSK and the new active KSK. (Smart
"<filename>Kexample.com.+005+10128</filename>".</para>
<para>If two keys have IDs exactly 128 apart, and one is
revoked, then the two key IDs will collide, causing several
- problems. To prevent this,
+ problems. To prevent this,
<command>dnssec-keygen</command> will not generate a new key if
another key is present which may collide. This checking will
only occur if the new keys are written to the same directory
<!-- Converted by db4-upgrade version 1.0 -->
<article xmlns="http://docbook.org/ns/docbook" version="5.0"><info><title/></info>
-
+
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="notes.xml"/>
</article>
<section xmlns="http://docbook.org/ns/docbook" version="5.0"><info/>
<xi:include xmlns:xi="http://www.w3.org/2001/XInclude" href="noteversion.xml"/>
<section xml:id="relnotes_intro"><info><title>Introduction</title></info>
-
+
<para>
This document summarizes changes since the last production release
of BIND on the corresponding major release branch.
</para>
</section>
<section xml:id="relnotes_download"><info><title>Download</title></info>
-
+
<para>
The latest versions of BIND 9 software can always be found at
<link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="http://www.isc.org/downloads/">http://www.isc.org/downloads/</link>.
</para>
</section>
<section xml:id="relnotes_security"><info><title>Security Fixes</title></info>
-
+
<itemizedlist>
<listitem>
<para>
</itemizedlist>
</section>
<section xml:id="relnotes_features"><info><title>New Features</title></info>
-
+
<itemizedlist>
<listitem>
<para>
whose assistance is gratefully acknowledged.
</para>
<para>
- To enable <command>dnstap</command> at compile time,
+ To enable <command>dnstap</command> at compile time,
the <command>fstrm</command> and <command>protobuf-c</command>
libraries must be available, and BIND must be configured with
<option>--enable-dnstap</option>.
</itemizedlist>
</section>
<section xml:id="relnotes_changes"><info><title>Feature Changes</title></info>
-
+
<itemizedlist>
<listitem>
<para>
</itemizedlist>
</section>
<section xml:id="relnotes_port"><info><title>Porting Changes</title></info>
-
+
<itemizedlist>
<listitem>
<para>
</itemizedlist>
</section>
<section xml:id="relnotes_bugs"><info><title>Bug Fixes</title></info>
-
+
<itemizedlist>
<listitem>
<para>
</itemizedlist>
</section>
<section xml:id="end_of_life"><info><title>End of Life</title></info>
-
+
<para>
The end of life for BIND 9.11 is yet to be determined but
will not be before BIND 9.13.0 has been released for 6 months.
</para>
</section>
<section xml:id="relnotes_thanks"><info><title>Thank You</title></info>
-
+
<para>
Thank you to everyone who assisted us in making this release possible.
If you would like to contribute to ISC to assist us in continuing to
<!-- Converted by db4-upgrade version 1.0 -->
<section xmlns="http://docbook.org/ns/docbook" version="5.0" xml:id="pkcs11"><info><title>PKCS#11 (Cryptoki) support</title></info>
-
+
<para>
PKCS#11 (Public Key Cryptography Standard #11) defines a
platform-independent API for the control of hardware security
the PKCS#11 API to drive the HSM directly.
</para>
<section><info><title>Prerequisites</title></info>
-
+
<para>
See the documentation provided by your HSM vendor for
information about installing, initializing, testing and
</para>
</section>
<section><info><title>Native PKCS#11</title></info>
-
+
<para>
Native PKCS#11 mode will only work with an HSM capable of carrying
out <emphasis>every</emphasis> cryptographic operation BIND 9 may
the <command>pkcs11-*</command> tools.)
</para>
<section><info><title>Building SoftHSMv2</title></info>
-
+
<para>
SoftHSMv2, the latest development version of SoftHSM, is available
from
</section>
</section>
<section><info><title>OpenSSL-based PKCS#11</title></info>
-
+
<para>
OpenSSL-based PKCS#11 mode uses a modified version of the
OpenSSL library; stock OpenSSL does not fully support PKCS#11.
it with the path to your HSM's PKCS#11 provider library.
</para>
<section><info><title>Patching OpenSSL</title></info>
-
+
<screen>
$ <userinput>wget <link xmlns:xlink="http://www.w3.org/1999/xlink" xlink:href="">http://www.openssl.org/source/openssl-0.9.8zc.tar.gz</link></userinput>
</screen>
</section>
<section><info><title>Building OpenSSL for the AEP Keyper on Linux</title></info>
<!-- Example 1 -->
-
+
<para>
The AEP Keyper is a highly secure key storage device,
but does not provide hardware cryptographic acceleration. It
</section>
<section><info><title>Building OpenSSL for the SCA 6000 on Solaris</title></info>
<!-- Example 2 -->
-
+
<para>
The SCA-6000 PKCS#11 provider is installed as a system
library, libpkcs11. It is a true crypto accelerator, up to 4
(For a 32-bit build, use "solaris-x86-cc" and /usr/lib/libpkcs11.so.)
</para>
<para>
- After configuring, run
- <command>make</command> and
+ After configuring, run
+ <command>make</command> and
<command>make test</command>.
</para>
</section>
<section><info><title>Building OpenSSL for SoftHSM</title></info>
<!-- Example 3 -->
-
+
<para>
SoftHSM (version 1) is a software library developed by the
OpenDNSSEC project
</para>
<section><info><title>Configuring BIND 9 for Linux with the AEP Keyper</title></info>
<!-- Example 4 -->
-
+
<para>
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
</section>
<section><info><title>Configuring BIND 9 for Solaris with the SCA 6000</title></info>
<!-- Example 5 -->
-
+
<para>
To link with the PKCS#11 provider, threads must be
enabled in the BIND 9 build.
</section>
<section><info><title>Configuring BIND 9 for SoftHSM</title></info>
<!-- Example 6 -->
-
+
<screen>
$ <userinput>cd ../bind9</userinput>
$ <userinput>./configure --enable-threads \
</para>
</section>
<section><info><title>PKCS#11 Tools</title></info>
-
+
<para>
BIND 9 includes a minimal set of tools to operate the
- HSM, including
+ HSM, including
<command>pkcs11-keygen</command> to generate a new key pair
- within the HSM,
+ within the HSM,
<command>pkcs11-list</command> to list objects currently
available,
<command>pkcs11-destroy</command> to remove objects, and
</para>
</section>
<section><info><title>Using the HSM</title></info>
-
+
<para>
For OpenSSL-based PKCS#11, we must first set up the runtime
environment so the OpenSSL and PKCS#11 libraries can be loaded:
For example, when operating an AEP Keyper, it is necessary to
specify the location of the "machine" file, which stores
information about the Keyper for use by the provider
- library. If the machine file is in
+ library. If the machine file is in
<filename>/opt/Keyper/PKCS11Provider/machine</filename>,
use:
</para>
</screen>
<para>
Such environment variables must be set whenever running
- any tool that uses the HSM, including
- <command>pkcs11-keygen</command>,
- <command>pkcs11-list</command>,
- <command>pkcs11-destroy</command>,
- <command>dnssec-keyfromlabel</command>,
- <command>dnssec-signzone</command>,
+ any tool that uses the HSM, including
+ <command>pkcs11-keygen</command>,
+ <command>pkcs11-list</command>,
+ <command>pkcs11-destroy</command>,
+ <command>dnssec-keyfromlabel</command>,
+ <command>dnssec-signzone</command>,
<command>dnssec-keygen</command>, and
<command>named</command>.
</para>
</screen>
</section>
<section><info><title>Specifying the engine on the command line</title></info>
-
+
<para>
When using OpenSSL-based PKCS#11, the "engine" to be used by
OpenSSL can be specified in <command>named</command> and all of
$ <userinput>dnssec-signzone -E '' -S example.net</userinput>
</screen>
<para>
- This causes
+ This causes
<command>dnssec-signzone</command> to run as if it were compiled
without the --with-pkcs11 option.
</para>
</para>
</section>
<section><info><title>Running named with automatic zone re-signing</title></info>
-
+
<para>
If you want <command>named</command> to dynamically re-sign zones
using HSM keys, and/or to to sign new records inserted via nsupdate,
then <command>named</command> must have access to the HSM PIN. In OpenSSL-based PKCS#11,
this is accomplished by placing the PIN into the openssl.cnf file
- (in the above examples,
+ (in the above examples,
<filename>/opt/pkcs11/usr/ssl/openssl.cnf</filename>).
</para>
<para>
</xsl:variable>
</xsl:stylesheet>
-<!--
+<!--
- Local variables:
- mode: sgml
- End:
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- ISC customizations for Docbook-XSL chunked HTML generator -->
+<!-- ISC customizations for Docbook-XSL chunked HTML generator -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
</xsl:stylesheet>
-<!--
+<!--
- Local variables:
- mode: sgml
- End:
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- ISC customizations for Docbook-XSL HTML generator -->
+<!-- ISC customizations for Docbook-XSL HTML generator -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
</xsl:stylesheet>
-<!--
+<!--
- Local variables:
- mode: sgml
- End:
<!-- $Id$ -->
-<!-- Tweaks to Docbook-XSL HTML for producing flat ASCII text. -->
+<!-- Tweaks to Docbook-XSL HTML for producing flat ASCII text. -->
<xsl:stylesheet xmlns:xsl="http://www.w3.org/1999/XSL/Transform" version="1.0"
xmlns:l="http://docbook.sourceforge.net/xmlns/l10n/1.0">
</xsl:stylesheet>
-<!--
+<!--
- Local variables:
- mode: sgml
- End:
<xsl:text>.ad l </xsl:text>
</xsl:variable>
- <!--
+ <!--
- Override Docbook template to insert our copyright,
- disable chunking, and suppress output of .so files.
-->
</xsl:choose>
</xsl:template>
- <!--
+ <!--
- Override Docbook template to change formatting.
- We just want the element name in boldface, no subsection header.
-->
</xsl:stylesheet>
-<!--
+<!--
- Local variables:
- mode: sgml
- End:
- PERFORMANCE OF THIS SOFTWARE.
-->
-<!-- ISC customizations for Docbook-XSL HTML generator -->
+<!-- ISC customizations for Docbook-XSL HTML generator -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
</xsl:stylesheet>
-<!--
+<!--
- Local variables:
- mode: sgml
- End:
xmlns:db="http://docbook.org/ns/docbook">
</xsl:stylesheet>
-<!--
+<!--
- Local variables:
- mode: sgml
- End:
<!--
- Whack — into something that won't choke LaTeX.
- There's probably a better way to do this, but this will work for now.
- -->
+ -->
<xsl:stylesheet version="1.0"
xmlns:xsl="http://www.w3.org/1999/XSL/Transform"
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><command>isc-config.sh</command>
prints information related to the installed version of ISC BIND,
such as the compiler and linker flags required to compile
</refsection>
<refsection><info><title>OPTIONS</title></info>
-
+
<variablelist>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><command>isc-config.sh</command>
returns an exit status of 1 if
invoked with invalid arguments or no arguments at all.
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
The BIND 9 lightweight resolver library is a simple, name service
independent stub resolver library. It provides hostname-to-address
</refsection>
<refsection><info><title>OVERVIEW</title></info>
-
+
<para>
The lwresd library implements multiple name service APIs.
The standard
</para>
</refsection>
<refsection><info><title>CLIENT-SIDE LOW-LEVEL API CALL FLOW</title></info>
-
+
<para>
When a client program wishes to make an lwres request using the
native low-level API, it typically performs the following
</para>
</refsection>
<refsection><info><title>SERVER-SIDE LOW-LEVEL API CALL FLOW</title></info>
-
+
<para>
When implementing the server side of the lightweight resolver
protocol using the lwres library, a sequence of actions like the
<para/>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres_gethostent</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
These functions provide bounds checked access to a region of memory
where data is being read or written.
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_conf_init()</function>
creates an empty
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><function>lwres_conf_parse()</function>
returns <errorcode>LWRES_R_SUCCESS</errorcode>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>stdio</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
</para>
</refsection>
<refsection><info><title>FILES</title></info>
-
+
<para><filename>/etc/resolv.conf</filename>
</para>
</refsection>
</funcsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_context_create()</function>
creates a <type>lwres_context_t</type> structure for use in
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><function>lwres_context_create()</function>
returns <errorcode>LWRES_R_NOMEMORY</errorcode> if memory for
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres_conf_init</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
</funcsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
These are low-level routines for creating and parsing
lightweight resolver name-to-address lookup request and
</para>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
The getaddrbyname opcode functions
<function>lwres_gabnrequest_render()</function>,
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_gai_strerror()</function>
returns an error message corresponding to an error code returned by
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>strerror</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_getaddrinfo()</function>
is used to get a list of IP addresses and port numbers for host
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><function>lwres_getaddrinfo()</function>
returns zero on success or one of the error codes listed in
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
These functions provide hostname-to-address and
address-to-hostname lookups by means of the lightweight resolver.
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
The functions
<function>lwres_gethostbyname()</function>,
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>gethostent</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
</refsection>
<refsection><info><title>BUGS</title></info>
-
+
<para><function>lwres_gethostbyname()</function>,
<function>lwres_gethostbyname2()</function>,
<function>lwres_gethostbyaddr()</function>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
These functions perform thread safe, protocol independent
</para>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
If an error occurs,
<function>lwres_getipnodebyname()</function>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>RFC2553</refentrytitle>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
This function is equivalent to the
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><function>lwres_getnameinfo()</function>
returns 0 on success or a non-zero error code if an error occurs.
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>RFC2133</refentrytitle>
</citerefentry>,
</para>
</refsection>
<refsection><info><title>BUGS</title></info>
-
+
<para>
RFC2133 fails to define what the nonzero return values of
<citerefentry>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_getrrsetbyname()</function>
gets a set of resource records associated with a
<parameter>hostname</parameter>, <parameter>class</parameter>,
<para/>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para><function>lwres_getrrsetbyname()</function>
returns zero on success, and one of the following error codes if
an error occurred:
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>.
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
These are low-level routines for creating and parsing
lightweight resolver address-to-name lookup request and
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
The getnamebyaddr opcode functions
<function>lwres_gnbarequest_render()</function>,
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>.
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_herror()</function>
prints the string <parameter>s</parameter> on
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
The string <errorname>Unknown resolver error</errorname> is returned by
<function>lwres_hstrerror()</function>
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>herror</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_net_ntop()</function>
converts an IP address of protocol family
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
If successful, the function returns <parameter>dst</parameter>:
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>RFC1884</refentrytitle>
</citerefentry>,
</funcsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
These are low-level routines for creating and parsing
lightweight resolver no-op request and response messages.
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
The no-op opcode functions
<function>lwres_nooprequest_render()</function>,
</para>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres_packet</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>
</funcsynopsis>
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para>
These functions rely on a
<type>struct lwres_lwpacket</type>
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
Successful calls to
<function>lwres_lwpacket_renderheader()</function> and
</refsynopsisdiv>
<refsection><info><title>DESCRIPTION</title></info>
-
+
<para><function>lwres_string_parse()</function>
retrieves a DNS-encoded string starting the current pointer of
</refsection>
<refsection><info><title>RETURN VALUES</title></info>
-
+
<para>
Successful calls to
<function>lwres_string_parse()</function>
</refsection>
<refsection><info><title>SEE ALSO</title></info>
-
+
<para><citerefentry>
<refentrytitle>lwres_buffer</refentrytitle><manvolnum>3</manvolnum>
</citerefentry>,
$body = "$body$_";
}
$_ = $body;
+ } elsif ($type eq "SGML" && $sysyears =~ /$this_year/) {
+ my $body = "";
+ while (<SOURCE>) {
+ # Remove trailing white space.
+ s/[ \t]*$//;
+ $body = "$body$_";
+ }
+ $_ = $body;
} else {
undef $/;
$_ = <SOURCE>;